[tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)

Roger Dingledine arma at mit.edu
Fri Nov 9 23:41:06 UTC 2012


On Fri, Nov 09, 2012 at 06:09:36PM -0500, Matthew Fisch wrote:
> I used a unique random password for this mailing list, I'm going to
> guess however a significant portion of the mailing list either uses this
> password in other locations, a significant subset of them probably can't
> trust their mailbox to be secure.

I won't use the phrase "industry standard mailing list software" because
I hate it when other people use that phrase. But really, this is how
every free-software mailing list system works these days.

I'd be surprised if more than a trivial number of users on the Tor
lists picked a password at all. Typically people just let it choose
a random password for them, and it's nice to have that reminder sent
monthly because nobody ever knows their list password (for good reason --
there's barely a need to have a password for a mailing list subscription
in the first place).

Maybe we should find a way to wrestle it into not letting you pick a
password for yourself?

--Roger


